mass mail!!! HELP

**SetLar8** · 01-14-2006 07:37 PM

Hi, someone on my server is sending out mass mail which is slowing my server right down.

All i can see in the CPU usage section is 100s of the following process:

18284 mailnull 0 0.0 0.4 /usr/sbin/exim -Mc 1ExvkC-0004kd-C9

How can i find out what account is send this mail?

Thanks.

**SetLar8** · 01-14-2006 11:35 PM

hi, im still having this problem. please see the attachment text file for a fill rundown of the server load.

any help on stopping this is appreciated.

Thanks

**SetLar8** · 02-13-2006 08:35 PM

Hi, im having the same problem only i cannot find the user that is sending the mail.

I have looked through the logs and all i can see is user=nobody.

How can i find out which account is send the mail?

Thanks.

**/bin/bash.org** · 02-13-2006 09:16 PM

Well, there's a few ways.

First - look at the obvious. If someone is abusing one of your customer's contact/feedback forms, look at the addresses on the outgoing mail. Do they all include a recipient like 'info@oneofyourdomains.com' ? Chances are, that's your culprit because the form is also hardcoded to include your customer as a recipient.

If they are abusing some other kind of form, you might be able to do some other investigating. Issue this command - grep 'cwd=' /var/log/exim_mainlog . If your logging allows it*, you should see a great deal of output. I'd be suspicious of a lot of anything that appears to point at /home (ie here's a legitimate one from one of my customer's forms - "2006-02-14 11:33:50 cwd=/home/betterhm/public_html 3 args: /usr/sbin/sendmail -t -i").

Hopefully one of these two should get you some results.

* You may need to increase the logging of exim. WHM -> Service Configuration -> Exim Configuration Editor -> Advanced Mode. In the VERY TOP box, add "log_selector = +all" (without the quotes) and save.

**SetLar8** · 02-13-2006 10:15 PM

Exim statistics from 2006-02-12 04:20:30 to 2006-02-14 03:09:39

Grand total summary
-------------------
At least one address
TOTAL Volume Messages Hosts Delayed Failed
Received 95MB 22758 347 7379 32.4% 12976 57.0%
Delivered 55MB 18780 1898

Deliveries by transport
-----------------------
Volume Messages
boxtrapper_autowhitelist 340KB 269
local_delivery 42MB 432
mailman_virtual_transport 342 1
remote_smtp 12MB 18000
virtual_userdelivery 1331KB 78

Messages received per hour (each dot is 84 messages)
----------------------------------------------------

00-01 3954 ...............................................
01-02 2805 .................................
02-03 2151 .........................
03-04 598 .......
04-05 297 ...
05-06 419 ....
06-07 510 ......
07-08 278 ...
08-09 343 ....
09-10 362 ....
10-11 379 ....
11-12 406 ....
12-13 347 ....
13-14 340 ....
14-15 270 ...
15-16 301 ...
16-17 226 ..
17-18 306 ...
18-19 164 .
19-20 142 .
20-21 159 .
21-22 183 ..
22-23 3613 ...........................................
23-24 4205 ..................................................

Deliveries per hour (each dot is 45 deliveries)
-----------------------------------------------

00-01 2211 .................................................
01-02 1439 ...............................
02-03 307 ......
03-04 122 ..
04-05 543 ............
05-06 860 ...................
06-07 1035 .......................
07-08 508 ...........
08-09 703 ...............
09-10 734 ................
10-11 758 ................
11-12 773 .................
12-13 688 ...............
13-14 612 .............
14-15 513 ...........
15-16 536 ...........
16-17 367 ........
17-18 598 .............
18-19 316 .......
19-20 237 .....
20-21 338 .......
21-22 375 ........
22-23 1941 ...........................................
23-24 2266 ..................................................

This is far to many and must be a spammer. I have tried your tips above but cannot find the account that is send the emails it just comes up with nothing.

I really need help fid this person.

**SetLar8** · 02-13-2006 10:23 PM

Ok now all i get is when i run "grep 'cwd=' /var/log/exim_mainlog" is:

2006-02-14 03:16:25 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qfv-0004tm-D4
2006-02-14 03:16:26 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qfw-0004ts-Gz
2006-02-14 03:16:26 cwd=/ 3 args: /usr/sbin/sendmail -t -i
2006-02-14 03:16:26 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qfw-0004tt-PW
2006-02-14 03:16:26 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qfw-0004ts-Gz
2006-02-14 03:16:27 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qfy-0004ty-8I
2006-02-14 03:16:27 cwd=/ 3 args: /usr/sbin/sendmail -t -i
2006-02-14 03:16:27 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qfy-0004ty-8I
2006-02-14 03:16:28 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qfy-0004u2-M2
2006-02-14 03:16:28 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qfz-0004u4-Gz
2006-02-14 03:16:28 cwd=/ 3 args: /usr/sbin/sendmail -t -i
2006-02-14 03:16:29 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qfz-0004u4-Gz
2006-02-14 03:16:29 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qfz-0004u5-KY
2006-02-14 03:16:30 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qg0-0004uA-T9
2006-02-14 03:16:30 cwd=/ 3 args: /usr/sbin/sendmail -t -i
2006-02-14 03:16:30 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qg0-0004uA-T9
2006-02-14 03:16:30 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qg1-0004uB-9X
2006-02-14 03:16:31 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qg2-0004uG-D9
2006-02-14 03:16:31 cwd=/ 3 args: /usr/sbin/sendmail -t -i
2006-02-14 03:16:31 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qg2-0004uH-Fj
2006-02-14 03:16:31 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qg2-0004uG-D9
2006-02-14 03:16:32 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qg3-0004uM-Df
2006-02-14 03:16:32 cwd=/ 3 args: /usr/sbin/sendmail -t -i
2006-02-14 03:16:32 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qg3-0004uM-Df
2006-02-14 03:16:33 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qg3-0004uS-W1
2006-02-14 03:16:34 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qg4-0004uU-Bk
2006-02-14 03:16:34 cwd=/ 3 args: /usr/sbin/sendmail -t -i
2006-02-14 03:16:34 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qg4-0004uV-J5
2006-02-14 03:16:34 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qg4-0004uU-Bk
2006-02-14 03:16:38 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qg6-0004ua-2I
2006-02-14 03:16:38 cwd=/ 3 args: /usr/sbin/sendmail -t -i
2006-02-14 03:16:38 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qg6-0004ua-2I
2006-02-14 03:16:38 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qg6-0004ue-BH
2006-02-14 03:16:38 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgA-0004ug-6o
2006-02-14 03:16:38 cwd=/ 3 args: /usr/sbin/sendmail -t -i
2006-02-14 03:16:38 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qgA-0004ug-6o
2006-02-14 03:16:39 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgA-0004uh-GG
2006-02-14 03:16:39 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgA-0004um-QU
2006-02-14 03:16:39 cwd=/ 3 args: /usr/sbin/sendmail -t -i
2006-02-14 03:16:39 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgA-0004un-RO
2006-02-14 03:16:39 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qgA-0004um-QU
2006-02-14 03:16:40 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgB-0004us-KZ
2006-02-14 03:16:40 cwd=/ 3 args: /usr/sbin/sendmail -t -i
2006-02-14 03:16:40 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgB-0004uw-Qv
2006-02-14 03:16:40 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qgB-0004us-KZ
2006-02-14 03:16:41 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgC-0004uy-AE
2006-02-14 03:16:41 cwd=/ 3 args: /usr/sbin/sendmail -t -i
2006-02-14 03:16:41 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qgC-0004uy-AE
2006-02-14 03:16:41 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgC-0004v0-HD
2006-02-14 03:16:41 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgD-0004v4-9p
2006-02-14 03:16:41 cwd=/ 3 args: /usr/sbin/sendmail -t -i
2006-02-14 03:16:42 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgD-0004v5-CP
2006-02-14 03:16:42 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qgD-0004v4-9p
2006-02-14 03:16:43 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgE-0004vF-9y
2006-02-14 03:16:43 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgD-0004vB-Tv
2006-02-14 03:16:43 cwd=/ 3 args: /usr/sbin/sendmail -t -i
2006-02-14 03:16:43 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qgD-0004vB-Tv
2006-02-14 03:16:44 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgF-0004vK-8p
2006-02-14 03:16:44 cwd=/ 3 args: /usr/sbin/sendmail -t -i
2006-02-14 03:16:44 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgF-0004vL-D7
2006-02-14 03:16:44 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qgF-0004vK-8p
2006-02-14 03:16:44 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgG-0004vN-2r
2006-02-14 03:16:44 cwd=/ 3 args: /usr/sbin/sendmail -t -i
2006-02-14 03:16:45 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgG-0004vR-Ah
2006-02-14 03:16:45 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qgG-0004vN-2r
2006-02-14 03:16:45 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgG-0004vT-TO
2006-02-14 03:16:45 cwd=/ 3 args: /usr/sbin/sendmail -t -i
2006-02-14 03:16:46 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgH-0004vV-8c
2006-02-14 03:16:46 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qgG-0004vT-TO
2006-02-14 03:16:47 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgH-0004va-WB
2006-02-14 03:16:47 cwd=/ 3 args: /usr/sbin/sendmail -t -i
2006-02-14 03:16:47 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qgH-0004va-WB
2006-02-14 03:16:47 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgI-0004ve-KP
2006-02-14 03:16:47 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgJ-0004vg-7n
2006-02-14 03:16:47 cwd=/ 3 args: /usr/sbin/sendmail -t -i
2006-02-14 03:16:48 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgJ-0004vh-B3
2006-02-14 03:16:48 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qgJ-0004vg-7n
2006-02-14 03:16:48 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgJ-0004vm-Rw
2006-02-14 03:16:48 cwd=/ 3 args: /usr/sbin/sendmail -t -i
2006-02-14 03:16:48 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgK-0004vo-57
2006-02-14 03:16:49 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qgJ-0004vm-Rw
2006-02-14 03:16:50 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgK-0004vs-OY
2006-02-14 03:16:50 cwd=/ 3 args: /usr/sbin/sendmail -t -i
2006-02-14 03:16:50 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qgK-0004vs-OY
2006-02-14 03:16:50 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgL-0004vw-1n
2006-02-14 03:16:51 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgM-0004w1-7L
2006-02-14 03:16:52 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgM-0004vy-3p
2006-02-14 03:16:52 cwd=/ 3 args: /usr/sbin/sendmail -t -i
2006-02-14 03:16:53 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qgM-0004vy-3p
2006-02-14 03:16:57 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgO-0004w7-Cu
2006-02-14 03:16:57 cwd=/ 3 args: /usr/sbin/sendmail -t -i
2006-02-14 03:16:57 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qgO-0004w7-Cu
2006-02-14 03:16:58 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgP-0004wB-3A
2006-02-14 03:16:58 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgT-0004wF-PC
2006-02-14 03:16:59 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgT-0004wE-Kn
2006-02-14 03:16:59 cwd=/ 3 args: /usr/sbin/sendmail -t -i
2006-02-14 03:16:59 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qgT-0004wE-Kn
2006-02-14 03:17:02 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgV-0004wO-VO
2006-02-14 03:17:02 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgV-0004wL-Fn
2006-02-14 03:17:02 cwd=/ 3 args: /usr/sbin/sendmail -t -i
2006-02-14 03:17:03 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qgV-0004wL-Fn
2006-02-14 03:17:05 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgZ-0004wX-GB
2006-02-14 03:17:05 cwd=/ 3 args: /usr/sbin/sendmail -t -i
2006-02-14 03:17:05 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgY-0004wV-T1
2006-02-14 03:17:07 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgb-0004wb-Vg
2006-02-14 03:17:07 cwd=/ 3 args: /usr/sbin/sendmail -t -i
2006-02-14 03:17:07 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qgb-0004wb-Vg
2006-02-14 03:17:07 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qgY-0004wV-T1
2006-02-14 03:17:07 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgd-0004wg-3C
2006-02-14 03:17:08 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgd-0004wi-Dv
2006-02-14 03:17:08 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qgd-0004wg-3C
2006-02-14 03:17:08 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgd-0004wh-Bi
2006-02-14 03:17:11 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qge-0004wm-Ba
2006-02-14 03:17:14 cwd=/ 3 args: /usr/sbin/sendmail -t -i
2006-02-14 03:17:15 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgk-0004wy-KF
2006-02-14 03:17:15 cwd=/ 3 args: /usr/sbin/sendmail -t -i
2006-02-14 03:17:15 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qgk-0004wy-KF

There has to be something i can do? Please i need to find this person.

**/bin/bash.org** · 02-14-2006 06:28 PM

I think you are going to have to give us some more information. Can you post a (not too huge) chunk of some of exim_mainlog that shows some of these spams being sent? Hopefully you have the logging at maximum as I suggested above.

**WestBend** · 02-14-2006 10:30 PM

switch on phpsuexec for a day.

LinkBack

Thread Tools

mass mail!!! HELP

[Request] mass backup and mass restore

Mass delete E-mail Accounts

mass changing sub domains mail to :fail:

Advice please with mass mail problem.

Server sending mass mail to .com.br